• Chris Silvers

Happy Hour, Bingo, and OSINT CTFs @ NolaCon 2022

Nola's Top Shelf Hackers

This past weekend Kris and I headed west to the Big Easy for NolaCon 2022 to host another, you guessed it, OSINT CTF. While there we got to hang out with some friends, old and new, play a wonderful round of buzzword bingo and enjoy the happiest of hours CG Silvers style.

The contest was a blast, and we even had some returning champions who came not only to defend but to surpass their previous titles. Read more from the winners below.

Winner’s Circle

In Third Place - Walmart Greeters

Walmart Greeters, with their oh so aspirational name, took third place in our OSINT CTF this past weekend. They put up quite the fight for the entirety of the contest, and certainly earned their third place position.

1. Why did you decide to join the OSINT CTF?

R - I’ve always had a passion for the idea that you could take a single piece of information – an IP, a username, an email – and find out so much from just firing off a very small piece of information. I’ve also done some of the TraceLabs ones and it's just rewarding and fun.

2. What was the hardest flag to find? If you found it, how did you do it?

R - The vehicle of Chris Wall – his first primary vehicle. I struggled with where to go. Would it be a picture he took on social media? Or maybe what type of database I could access like maybe a car registration and then maybe find it.

C - Were you able to find that one?

R - No. I pulled up a list of the top 100 cars in America and I was just kinda YOLO-ing. Camry, Civic, Accord…etc. Because I knew he was kinda a younger guy so it's gotta be something like that.

C - I think it turned out, if I remember right I’m not exactly sure, I think it turned out to be a Cavalier or a Corvair maybe.

For the entire final hour of the contest, Walmart Greeters remained vigilant in holding their third place position, which is quite an impressive feat. R and I talked about his passion for OSINT, though, and that passion is certainly what allowed his team to stay on the leaderboard.

3. Did you learn a skill or tool that you’ll take with you after the contest?

R - Not tools, but communication with my teammates I would say. We just had a Google Doc where we were dumping everything. So just working as a team in an effective manner and making sure we are not all trying to go after the same question.

In Second Place - A Brazilian Hax

For those of you who follow us on Twitter, this team name might sound familiar. That's because they won 3rd place in our OSINT CTF just four weeks ago at CypherCon, not to mention that their headliner is the most iconic nerdy rapper in the game, Dual Core himself. They followed (stalked) us out to good ol’ Nola to defend their title and then some.

1. Why did you decide to join the OSINT CTF?

D - Free candy.

C - Is that really what you want your answer to be?

M - OSINT is fun!

D - And you roped us into doing this interview.

2. What was the hardest flag to find? If you found it, how did you do it?

D - The manager's name for target number one.

C - Did you ever find that one?

D - No. Probably because they didn't consent to recording.

M - STOP! The hospital one was also difficult.

One of Kris’s and my favorite things about these conferences is the connections we make, and getting to hang out with old friends and have them compete in the competition is definitely a highlight for us. Even when they *claim* we forced them into an interview without their consent.

3. Did you learn a skill or tool that you’ll take with you after the contest?

D - Not for me, but I was very tunnel visioned in this competition. I pretty much stuck to LinkedIn and Twitter and Facebook. Whereas in other ones I’m searching in search engines and finding new things.

MK - Yeah I used all the things I’ve seen before. It was mostly Twitter, Bing – which I never actually use, but I had to reset my computer and it is the default search engine. But Bing and DuckDuckGo were actually the two big ones for me.

M - For me a lot was new because OSINT here is very different from OSINT in Brazil. Like Spokeo is big for Americans, I guess. What I did find, that I have never found in any OSINT ever, was obituaries. I never had the need to go through an obituary.

In First Place - Milkshakes

Our first place winners were OSINT pros, but CTF rookies. Being new to the game clearly did little to hold back their skill, though. Like Walmart Greeters, they stayed in the top three for the entire final hour of the contest, but didn’t take first place until just ten minutes were left. One of my favorite things about these contests is that, no matter how many OSINT CTFs you’ve done, it can always be anyone’s game, and these guys proved just that.

1. Why did you decide to join the OSINT CTF?

M - We’ve done OSINT before for our professional lives but we’ve never done it in a fun capacity and this is a great way to enjoy ourselves.

M2 - My understanding is, I used to work with her and I’ve done OSINT and I used to think that I hated humans and didn’t want to do the OSINT CTF, but I decided to try it anyway and it was a lot of fun!

C - You can do OSINT and hate humans at the same time.

M - I actually think it's easier to do OSINT when you hate humans.

C - OSINT with a grudge. I like it, grudge OSINT.

2. What was the hardest flag to find? If you found it, how did you do it?

M - I think the address was probably the hardest one. The street number, specifically, because of the limited number of guesses. If there weren’t limited guesses it would have been a lot easier because we could have brute forced it a little faster but we really had to sit and wait until we found it.

C - That’s exactly why we limited the guesses. We didn’t want it to fall prey to brute forcing. And so how did you end up finding the address? Because I know a lot of people had trouble with that one.

M - So Spokeo had the first two numbers and then a blank and the actual street name. And we tried the first one first and it didn’t work and then we realized it had to just be the two numbers and then went on a different site and found it.

Our rookie competitors took quite the lead in the end, finishing out the game an impressive 110 points above their second place opponents. It just goes to show how applicable an OSINT CTF can be to your professional life. Most of our competitors gain more experience from competition, whereas Milkshakes came out with their experience in the bag, and decided to have some fun with it.

3. Did you learn a skill or tool that you’ll take with you after the contest?

M - A surprise for me was if you scroll back far enough, even those that think they have privacy controls on social media, do not have privacy controls on social media. So target 1’s wife for example, the first three of four obstacles for us was that it was only profile pictures. It had looked like she had locked down all her accounts. But if you kept scrolling from like, four years ago on it was every post that she’d ever posted. And that’s how we found both his birthday and their marriage date. It's how I found his profile in general because he was tagged in her posts.

Overall we had an absolutely wonderful time at NolaCon 2022. We want to thank everyone who made our OSINT-CTF possible, from our contestants, to the conference organizers, our lovely volunTARGETS, and especially our sponsors IntelTechniques. We look forward to seeing you all next year at NolaCon 2023, and be sure to meet up with us in October of this year at GrrCon for our next contest!

